
Desired Outcomes

Information security governance consists of the leadership,
organizational structures and processes that safeguard information.
Critical to the success of these structures and processes is effective
communication amongst all parties based on constructive relationships,
a common language, and shared commitment to addressing the issues. The
five basic outcomes of information security governance should include:

Strategic alignment of information security with business strategy to support organizational objectives

Risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level

Value delivery by optimizing information security investments in support of organizational objectives

[...]

Process Integration

A promising concept, driven in large part by the increasing tendency
to segment security into separate but related functions, focuses on
the integration of an organisation’s management assurance processes
regarding security. This can serve to improve overall security and
operational efficiencies.

These activities are at times fragmented and
segmented in silos with different reporting structures. They tend to
use different terminology and generally reflect different
understandings of their processes and outcomes with, at times, little
in common. This makes it difficult, if not impossible, to seamlessly
integrate them. Results include overlapping security initiatives,
which waste resources, or major gaps that can lead to serious security
compromises.

There is no one-size-fits-all model, but we have a few strong frameworks to aid in governance. The NIST Cyber Security Framework (CSF) is a strong, dominant framework for addressing cyber risk in that it is outcomes-focused. For defining a common language, the OpenGroup FAIR standard documents a strong, dominant information risk-analysis model that includes very specific language, in addition to variable selection, et al. FAIR does not tell an organization how to calculate, but it does lay out the calculables. A book reference I would recommend is Measuring and Managing Information Risk, where FAIR is shown to utilize PERT analyses with Monte Carlo Simulations to produce an accurate picture of information risk that many businesses can rely on to be the state-of-the-art in accuracy. The authors also show their work and document where else information risk analysis models are being developed.

For process integration, we should see existing structures outside of IT merge with cyber risk. Many colleagues and I have been discussing how BCDR risks work alongside or simultaneously with cyber risks. If your org has an existing BCDR program (or subset), it may strike up interesting conversations, to say the least -- especially ones that can aid the risk communication cycle with executive management. Some orgs may have other places this can occur, such as physical security, corporate security intelligence, a risk office (or committee), etc.

Depending on the culture and structure of your executives and the business, some models and frameworks will work better than others. Some businesses and top-level processes run on experiments -- some strongly tied to the scientific method. Very often, the business works the top-line and bottom-line of their financials. Given the time value of money, many executives trained with financials see that investing in growing the business will pay dividends for the business (and its shareholders, for whom many executives work). While nobody knows why certain organizations have cyber security budgets at the levels they do (or how they get to those numbers), at least we do have some research on what those budgets typically are: if the company's revenue is under $100M/year, they should be spending around $800K/year on cyber security; if $100M-$1B/year, spend should be over $3M/year; if revenue is over $1B/year then the cyber security budget should be over $30M/year (original sources: https://web.archive.org/web/20160315032510/http://blogs.wsj.com:80/moneybeat/2015/09/09/cybersecurity-index-beats-sp-500-by-120-heres-why-in-charts/ and http://www.cyberrisknetwork.com/2015/09/24/data-spotlight-cybersecurity-budgets/ -- N.B., as of Q2-2017 this second source is no longer available and the images were difficult to locate even via archive.org). Knowing what we know from the Equifax data breach, for companies with revenue of over $1B/year, the cybersecurity spend should be at least $40M/year. A new study would greatly help this simple approach to budget allocation.

There may be hybrid models, and more often than not -- balancing risks with business needs comes down to a cost-benefit analysis (CBA). Krag Brotby wrote a few books on security metrics and other topics where this is partially covered. However, the idea of a CBA has been around for quite some time. You can Wikipedia concepts such as Opportunity cost or Sunk costs to find out more. Also in this vein is a book, A New Framework for IT Investment Decisions, that uses either Hubbard AIE and/or the Black-Scholes model to provide Notional Value / Potential Impact. Using the Black-Scholes model, one can treat investments as options where the underlying assets are the IT systems, the current value is NPV from IT projects, volatility is uncertainty in cash flow from IT projects, the exercise price is the investment required, and the exercise date is the date for developing the IT project. Hubbard AIE is covered in the book, How to Measure Anything in Cybersecurity Risk.

I have found hybrid models to be useful. Combine all of these ideas but still keep it simple. A useful aid when integrating cyber risk processes to existing business processes (such as BCDR) is the Multiple-Scenarios Generation Technique, as well as related analytical techniques. Scenario planning is a common strategy tool, but other tools such as SWOT Analysis, Hoshin Planning, Porter's Value Chain, and other strategic business concepts may also be useful. I think these are great places to start, but to get to a common language, such as FAIR, is really the ultimate challenge for a cyber risk register that has a model approaching closeness to reality. Maybe not exact reality, but a useful model that supports the business needs at the time. The problem with cyber is that the models typically need to be updated (or somehow self-adjust to global cyber-risk events) hourly or daily.
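As an added illustration of the FAIR-with-PERT-and-Monte-Carlo approach the answer mentions (example code written here, not from the answer, the FAIR standard or the cited book): each FAIR input is given as a min / most likely / max estimate, sampled from a PERT distribution, and the annualized loss exposure is read off the resulting percentiles. The loss estimates are constructed for illustration, and the PERT shape parameter of 4 is the conventional default, not a FAIR requirement.

```python
import random
import statistics

# PERT shape parameter; 4 is the conventional default weighting of the mode.
LAMBDA = 4.0


def pert_sample(low, mode, high, rng=None):
    """Draw one value from a PERT (scaled beta) distribution on [low, high]."""
    if not low <= mode <= high:
        raise ValueError("expected low <= mode <= high")
    if high == low:
        return low          # degenerate estimate: no uncertainty
    if rng is None:
        rng = random
    alpha = 1 + LAMBDA * (mode - low) / (high - low)
    beta = 1 + LAMBDA * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def pert_mean(low, mode, high):
    """Analytic mean of the PERT distribution, used as a sanity check."""
    return (low + LAMBDA * mode + high) / (LAMBDA + 2)


def simulate_ale(lef, lm, trials=10_000, seed=1):
    """Monte Carlo annualized loss exposure for one FAIR risk scenario.

    lef: (min, most likely, max) Loss Event Frequency, events per year
    lm:  (min, most likely, max) Loss Magnitude per event, in currency units
    Each trial multiplies a sampled annual frequency by a sampled per-event
    loss, the common simplification of FAIR's Risk = LEF x LM.
    """
    rng = random.Random(seed)
    losses = sorted(pert_sample(*lef, rng=rng) * pert_sample(*lm, rng=rng)
                    for _ in range(trials))
    return {
        "mean": statistics.fmean(losses),
        "median": losses[len(losses) // 2],
        "p90": losses[int(0.9 * len(losses))],
        "analytic_mean": pert_mean(*lef) * pert_mean(*lm),
    }


if __name__ == "__main__":
    # Constructed scenario: estimates for loss of a customer database.
    result = simulate_ale(lef=(0.1, 0.5, 2.0), lm=(50_000, 250_000, 2_000_000))
    for name, value in result.items():
        print(f"{name:>13}: {value:>12,.0f}")
```

The gap between the median and the 90th percentile is what makes a risk register entry communicable in financial terms, which is the common-language point the answer makes about FAIR.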